diff --git a/cloudkitty/common/policy.py b/cloudkitty/common/policy.py
index 9d55e1f8..0aac973b 100644
--- a/cloudkitty/common/policy.py
+++ b/cloudkitty/common/policy.py
@@ -23,6 +23,7 @@ from oslo_log import log as logging
 from oslo_policy import opts as policy_opts
 from oslo_policy import policy
 from oslo_utils import excutils
+from oslo_utils import strutils
 from cloudkitty.common import policies
@@ -108,8 +109,9 @@ def authorize(context, action, target):
     init()
     try:
-        LOG.debug('Authenticating user with credentials %(credentials)s',
-                  {'credentials': context.to_dict()})
+        LOG.debug(
+            'Authenticating user with credentials %(credentials)s',
+            {'credentials': strutils.mask_dict_password(context.to_dict())})
         return _ENFORCER.authorize(action, target, context,
                                    do_raise=True,
                                    exc=PolicyNotAuthorized,
@@ -120,9 +122,12 @@ def authorize(context, action, target):
         LOG.exception('Policy not registered')
     except Exception:
         with excutils.save_and_reraise_exception():
-            LOG.error('Policy check for %(action)s failed with credentials '
-                      '%(credentials)s',
-                      {'action': action, 'credentials': context.to_dict()})
+            LOG.error(
+                'Policy check for %(action)s failed with credentials '
+                '%(credentials)s', {
+                    'action': action,
+                    'credentials': strutils.mask_dict_password(
+                        context.to_dict())})
 def check_is_admin(context):
diff --git a/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml
new file mode 100644
index 00000000..2e78c723
--- /dev/null
+++ b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Previously, cloudkitty-api recorded request token in plain text format when
+    a request does not comply with policy rules or debug log is enabled. This
+    has been fixed and now token is masked in logs.
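Review bot: The masking in the LOG.debug call of the second hunk (and the LOG.error call of the third) depends on strutils.mask_dict_password recognising the key names that context.to_dict() emits; it matches a fixed list of sensitive key names (auth_token and token are among them), so any credential-bearing field that the context serialises under a different name would still be logged in clear. A unit test that builds a context with a token and asserts the rendered log line does not contain it would pin this, since neither this module nor the release note covers that case. Separately, context.to_dict() and the masking pass now run on every authorize() call even when DEBUG is off; wrapping the debug call in `if LOG.isEnabledFor(logging.DEBUG):` avoids that work on the hot path. A short comment above the debug call such as `# mask_dict_password only redacts well-known key names; keep it in sync with what context.to_dict() exposes` would record the assumption for the next maintainer. authorize() starts and ends outside these hunks.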